Managing Rogue Devices

Finding Feature
Information

Your software release may not support all the features documented in
this module. For the latest caveats and feature information, see Bug Search
Tool and the release notes for your platform and software release. To find
information about the features documented in this module, and to see a list of
the releases in which each feature is supported, see the feature information
table at the end of this module.

Use Cisco Feature Navigator to find information about platform support
and Cisco software image support. To access Cisco Feature Navigator, go to
http:/​/​www.cisco.com/​go/​cfn. An account on Cisco.com is
not required.

Information About Rogue Devices

Rogue access points can
disrupt wireless LAN operations by hijacking legitimate clients and using
plain-text or other denial-of-service or man-in-the-middle attacks. That is, a
hacker can use a rogue access point to capture sensitive information, such as
usernames and passwords. The hacker can then transmit a series of Clear to Send
(CTS) frames. This action mimics an access point, informing a particular client
to transmit, and instructing all the other clients to wait, which results in
legitimate clients being unable to access network resources. Wireless LAN
service providers have a strong interest in banning rogue access points from
the air space.

Because rogue access points
are inexpensive and readily available, employees sometimes plug unauthorized
rogue access points into existing LANs and build ad hoc wireless networks
without their IT department's knowledge or consent. These rogue access points
can be a serious breach of network security because they can be plugged into a
network port behind the corporate firewall. Because employees generally do not
enable any security settings on the rogue access point, it is easy for
unauthorized users to use the access point to intercept network traffic and
hijack client sessions. Even more alarming, wireless users frequently publish
unsecured access point locations, increasing the odds of having enterprise
security breached.

The following are some
guidelines to manage rogue devices:

The containment frames are
sent immediately after the authorization and associations are detected. The
enhanced containment algorithm provides more effective containment of ad hoc
clients.

The
local mode access points
are designed to serve associated clients. These access
points spend relatively less time performing off-channel scanning: about 50
milliseconds on each channel. If you want to perform high rogue detection, a
monitor mode access point must be used. Alternatively, you can reduce the scan
intervals from 180 seconds to a lesser value, for example, 120 or 60 seconds,
ensuring that the radio goes off-channel more frequently, which improves the
chances of rogue detection. However, the access point will still spend about 50
milliseconds on each channel.

Rogue detection is disabled
by default for OfficeExtend access points because these access points, which
are deployed in a home environment, are likely to detect a large number of
rogue devices.

RLDP detects
rogue access points that use a broadcast Basic Service Set Identifier (BSSID),
that is, the access point broadcasts its Service Set Identifier in beacons.

RLDP detects only
those rogue access points that are on the same network. If an access list in
the network prevents the sending of RLDP traffic from the rogue access point to
the controller, RLDP does not work.

RLDP does not
work on 5-GHz dynamic frequency selection (DFS) channels. However, RLDP works
when the managed access point is in the monitor mode on a DFS channel.

If RLDP is enabled
on mesh APs, and the APs perform RLDP tasks, the mesh APs are dissociated from
the controller. The workaround is to disable RLDP on mesh APs.

If RLDP is enabled
on nonmonitor APs, client connectivity outages occur when RLDP is in process.

If the rogue is
manually contained, the rogue entry is retained even after the rogue expires.

If the rogue is
contained by any other means, such as auto, rule, and AwIPS preventions, the
rogue entry is deleted when it expires.

The controller
will request to AAA server for rogue client validation only once. As a result,
if rogue client validation fails on the first attempt then the rogue client
will not be detected as a threat any more. To avoid this, add the valid client
entries in the authentication server before enabling
Validate
Rogue Clients Against AAA.

In the 7.4 and
earlier releases, if a rogue that was already classified by a rule was not
reclassified. In the 7.5 release, this behavior is enhanced to allow
reclassification of rogues based on the priority of the rogue rule. The
priority is determined by using the rogue report that is received by the
controller.

The rogue detector AP fails
to co-relate and contain the wired rogue AP on a 5Mhz channel because the MAC
address of the rogue AP for WLAN, LAN, 11a radio and 11bg radio are configured
with a difference of +/-1 of the rogue BSSID. In the 8.0 release, this behavior
is enhanced by increasing the range of MAC address, that the rogue detector AP
co-relates the wired ARP MAC and rogue BSSID, by +/-3.

Rogue
Location Discovery Protocol

Rogue Location
Discovery Protocol (RLDP) is an active approach, which is used when rogue AP
has no authentication (Open Authentication) configured. This mode, which is
disabled by default, instructs an active AP to move to the rogue channel and
connect to the rogue as a client. During this time, the active AP sends
de-authentication messages to all connected clients and then shuts down the
radio interface. Then, it associates to the rogue AP as a client. The AP then
tries to obtain an IP address from the rogue AP and forwards a User Datagram
Protocol (UDP) packet (port 6352) that contains the local AP and rogue
connection information to the controller through the rogue AP. If the
controller receives this packet, the alarm is set to notify the network
administrator that a rogue AP was discovered on the wired network with the RLDP
feature.

RLDP has 100 %
accuracy in rouge AP detection. It detects Open APs and NAT APs.

Note

Use the
debug dot11
rldp enable command in order to check if the Lightweight AP associates and
receives a DHCP address from the rogue AP. This command also displays the UDP
packet sent by the Lightweight AP to the controller.

The first 5 bytes
of the data contain the DHCP address given to the local mode AP by the rogue
AP. The next 5 bytes are the IP address of the controller, followed by 6 bytes
that represent the rogue AP MAC address. Then, there are 18 bytes of zeroes.

Steps of how RLDP
works are listed here:

Identify the
closest Unified AP to the rogue using signal strength values.

The AP then
connects to the rogue as a WLAN client, attempting three associations before
timing out.

If
association is successful, the AP then uses DHCP to obtain an IP address.

If an IP
address was obtained, the AP (acting as a WLAN client) sends a UDP packet to
each of the controller's IP addresses.

If the
controller receives even one of the RLDP packets from the client, that rogue is
marked as on-wire with a severity of critical.

Note

The RLDP packets
are unable to reach the controller if filtering rules are placed between the
controller's network and the network where the rogue device is located.

Caveats of RLDP:

RLDP only
works with open rogue APs broadcasting their SSID with authentication and
encryption disabled.

RLDP requires
that the Managed AP acting as a client is able to obtain an IP address via DHCP
on the rogue network.

Manual RLDP
can be used to attempt an RLDP trace on a rogue multiple number of times.

During RLDP
process, the AP is unable to serve clients. This negatively impacts performance
and connectivity for local mode APs. To avoid this case, RLDP can be
selectively enabled for Monitor Mode AP only.

RLDP does not
attempt to connect to a rogue AP operating in a 5GHz DFS channel.

Note

RLDP is not
supported for use with Cisco autonomous rogue access points. These access
points drop the DHCP Discover request sent by the RLDP client. Also, RLDP is
not supported if the rogue access point channel requires dynamic frequency
selection (DFS). If the automatic RLDP attempt does not detect the rogue (due
to a noisy RF environment, for example), the controller does not retry.
However, you can initiate RLDP manually on a rogue device.

Detecting Rogue
Devices

The controller
continuously monitors all the nearby access points and automatically discovers
and collects information on rogue access points and clients. When the
controller discovers a rogue access point, it uses the Rogue Location Discovery
Protocol (RLDP) and the rogue detector mode access point is connected to
determine if the rogue is attached to your network.

Controller
initiates RLDP on rogue devices that have open authenticated and configured. If
RLDP uses Flexconnect or local mode access points, then clients are
disconnected for that moment. After the RLDP cycle, the clients are reconnected
to the access points. As and when rogue access points are seen
(auto-configuration), the RLDP process is initiated.

You can configure the
controller to use RLDP on all the access points or only on the access points
configured for the monitor (listen-only) mode. The latter option facilitates
automated rogue access point detection in a crowded radio frequency (RF) space,
allowing monitoring without creating unnecessary interference and without
affecting the regular data access point functionality. If you configure the
controller to use RLDP on all the access points, the controller always chooses
the monitor access point for RLDP operation if a monitor access point and a
local (data) access point are both nearby. If RLDP determines that the rogue is
on your network, you can choose to contain the detected rogue either manually
or automatically.

RLDP detects on
wire presence of the rogue access points that are configured with open
authentication only once, which is the default retry configuration. Retries can
be configured using the
config rogue ap rldp
retries command.

Auto RLDP. You can
configure auto RLDP on controller either from controller CLI or GUI but keep in
mind the following guidelines:

The auto RLDP option can be
configured only when the rogue detection security level is set to custom.

Either auto RLDP or
schedule of RLDP can be enabled at a time.

A rogue access point is moved
to a contained state either automatically or manually. The controller selects
the best available access point for containment and pushes the information to
the access point. The access point stores the list of containments per radio.
For auto containment, you can configure the controller to use only the monitor
mode access point. The containment operation occurs in the following two ways:

The container access point
goes through the list of containments periodically and sends unicast
containment frames. For rogue access point containment, the frames are sent
only if a rogue client is associated.

Cisco Prime
Infrastructure Interaction and Rogue Detection

Cisco Prime
Infrastructure supports rule-based classification and uses the
classification rules configured on the controller. The controller sends traps
to
Cisco Prime
Infrastructure after the following events:

If an unknown access point
moves to the Friendly state for the first time, the controller sends a trap to
Cisco Prime
Infrastructure only if the rogue state is Alert. It does not send a trap
if the rogue state is Internal or External.

If a rogue entry is removed
after the timeout expires, the controller sends a trap to
Cisco Prime
Infrastructure for rogue access points categorized as Malicious (Alert,
Threat) or Unclassified (Alert). The controller does not remove rogue entries
with the following rogue states: Contained, Contained Pending, Internal, and
External.

How to Configure Rogue Detection

Configuring Rogue
Detection (CLI)

SUMMARY STEPS

1.configureterminal

2. wireless wpsroguedetectionmin-rssirssi in
dBm

3. wireless wpsroguedetectionmin-transient-time time in
seconds

4.end

DETAILED STEPS

Command or Action

Purpose

Step 1

configureterminal

Example:

Switch# configure terminal

Enters global configuration mode.

Step 2

wireless wpsroguedetectionmin-rssirssi in
dBm

Example:

Switch(config)# wireless wps rogue detection min-rssi 100

Specify the
minimum RSSI value that rogues should have for APs to detect and for rogue
entry to be created in the
switch.

Valid range for
the rssi in dBm parameter is –128 dBm to -70 dBm, and the default value is -128
dBm.

Note

This feature
is applicable to all the AP modes. There can be many rogues with very weak RSSI
values that do not provide any valuable information in rogue analysis.
Therefore, you can use this option to filter rogues by specifying the minimum
RSSI value at which APs should detect rogues.

Step 3

wireless wpsroguedetectionmin-transient-time time in
seconds

Example:

Switch(config)# wireless wps rogue detection min-transient-time

Specify the
time interval at which rogues have to be consistently scanned for by APs after
the first time the rogues are scanned.

Valid range for
the time in sec parameter is 120 seconds to 1800 seconds, and the default value
is 0.

Note

This feature
is applicable to APs that are in monitor mode only.

Using the
transient interval values, you can control the time interval at which APs
should scan for rogues. APs can also filter the rogues based on their transient
interval values.

This feature
has the following advantages:

Rogue
reports from APs to the controller are shorter

Transient rogue entries are avoided in the controller

Unnecessary memory allocation for transient rogues are avoided

Step 4

end

Example:

Switch(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Rogue
Detection (GUI)

Step 1

Make sure that rogue detection is enabled on the
corresponding access points. Rogue detection is enabled by default for all
access points joined to the controller (except for OfficeExtend access points).
However, you can enable or disable rogue detection for individual access point
by choosing
Configuration > Wireless > Access
Policies > All APs to open Edit AP page,
selecting or unselecting the
Rogue Detector
check box in the General area of the Edit AP page.

Choose one of the following options from the
Rogue
Location Discovery Protocol drop-down list:

Disable—Disables RLDP on all the access points. This
is the default value.

All APs—Enables RLDP on all the access points.

Monitor Mode APs—Enables RLDP only on the access
points in the monitor mode.

Step 4

In the
Expiration Timeout for Rogue AP and Rogue Client
Entries text box, enter the number of seconds after which the rogue
access point and client entries expire and are removed from the list. The valid
range is 240 to 3600 seconds, and the default value is 1200 seconds.

Note

If a rogue access point or
client entry times out, it is removed from the controller only if its rogue
state is Alert or Threat for any classification type.

Step 5

To use the AAA server or local database to
validate if rogue clients are valid clients, select the
Validate Rogue Clients
Against AAA check box. By default, the check box is unselected.

Step 6

If necessary, select the
Detect and Report Adhoc
Networks check box to enable adhoc rogue detection and reporting.
By default, the check box is selected.

Step 7

In the
Rogue Detection Report
Interval text box, enter the time interval, in seconds, at which
APs should send the rogue detection report to the controller. The valid range
is 10 seconds to 300 seconds, and the default value is 10 seconds.

Step 8

If you want the controller to
automatically contain certain rogue devices, enable the following parameters.
By default, these parameters are in disabled state.

Caution

When you select any of the
Auto Contain parameters and click
Apply, the following message is displayed:
“Using this feature may have legal consequences. Do you want to
continue?” The 2.4-GHz and 5-GHz frequencies in the Industrial,
Scientific, and Medical (ISM) band are open to the public and can be used
without a license. As such, containing devices on another party’s network could
have legal consequences.

Auto Containment Level—Set the auto containment
level. By default, the auto containment level is set to
1.

Rogue on Wire—Configure the auto containment of
rogues that are detected on the wired network.

Using Our SSID—Configure the auto containment of
rogues that are advertising your network’s SSID. If you leave this parameter
unselected, the controller only generates an alarm when such a rogue is
detected.

Valid Client on Rogue AP—Configure the auto
containment of a rogue access point to which trusted clients are associated. If
you leave this parameter unselected, the controller only generates an alarm
when such a rogue is detected.

Adhoc Rogue AP—Configure the auto containment of
adhoc networks detected by the controller. If you leave this parameter
unselected, the controller only generates an alarm when such a network is
detected.

Step 9

Click
Apply.

Step 10

Click
Save
Configuration.

Monitoring Rogue
Detection

This section
describes the new command for rogue detection.

The following
command can be used to monitor rogue detection on the
switch.

Table 1 Monitoring Rogue
Detection Command

Command

Purpose

show wireless wps rogue ap summary

Displays a
list of all rogue access points detected by the
switch.

show wireless wps rogue client detailedclient-mac

Displays
detailed information for a specific rogue client.

Examples: Rogue
Detection Configuration

This example shows
how to configure the minimum RSSI that a detected rogue AP needs to be at, to
have an entry created at the
switch:

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources,
including documentation and tools for troubleshooting and
resolving technical issues with Cisco products and technologies.

To receive security and technical information about your
products, you can subscribe to various services, such as the
Product Alert Tool (accessed from Field Notices), the Cisco
Technical Services Newsletter, and Really Simple Syndication
(RSS) Feeds.

Access to most tools on the Cisco Support website requires a
Cisco.com user ID and password.